
Issue 648876


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




Security: Password storage issue

Reported by 4s1mk...@gmail.com, Sep 21 2016

Issue description

We can change the password type to text through inspect element. That used to show the text version of the stored password, but recently I have detected that if someone enters their password and deletes the history after that, we can check his password by changing the password type, and it works in incognito mode too. You just have to click the password box after changing the password type, or press the keys, like all the alphabet, characters, and digits, one by one, and grab his recently typed password.
I am here to report this issue I found myself in. Maybe it has some other aspects.
 
Untitled.png (310 KB)
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Unconfirmed)
The ability to use the developer tools to unmask passwords is expected and is not a security bug. An attacker in a position to undertake this attack can access your data in many ways. 

Please see https://www.chromium.org/Home/chromium-security/security-faq#TOC-What-about-unmasking-of-passwords-with-the-developer-tools- for discussion.

The reason the autocomplete behavior changes for the INPUT control in your scenario is that the INPUT control is no longer a password field and thus it uses the standard autocompletion logic and UI instead of the password autocompletion logic and UI. This is expected.
